Attacks/Breaches
12/19/2012
06:51 PM
Connect Directly
RSS
E-Mail
50%
50%

Cybercrime Inc.: The Business Of The Digital Black Market

Report by security vendor Fortinet examines the structure of the cyber underworld

Money makes the world go 'round -- especially the world of cybercrime, where criminal groups have exploded in both number and sophistication.

In a new report, researchers at Fortinet dig into how cybercrime organizations continue to grow and generate profits. In a world where services from botnet rentals to black hat search engine optimization (SEO) are all for sale, the money criminals stand to make can be significant. For example, for $80, the report notes, a cyber-ring can get 20,000 backlinks for SEO purposes.

Other services, such as CAPTCHA breaking -- at a cost of $1 per 1,000 CAPTCHAs -- and botnet rentals -- at a cost of $40 per 20,000 spam emails -- are available as well.

"I would say that the organizations before used to be a handful in terms of organized cybercrime -- think of the RBN [Russian Business Network]," says Derek Manky, senior threat researcher at Fortinet's FortiGuard Labs. "Everything from development to network infrastructure and management were essentially in-house to these operations. Nowadays, there's more organizations, thanks to crimeware, crime services, existing source code, etc."

Today's cybercriminal enterprise is a complex ecosystem that encompasses executives, recruiters, and foot soldiers responsible for initiating the actual infection.

"The organization’s 'executives' make decisions, oversee operations, and ensure that everything runs smoothly," according to the Fortinet report. "Just as with legitimate businesses, these executives set up the original business model and infrastructure. Once they get the operation off the ground, they then move to a business development role and hand off the 'dirty work' to the infantry and are not involved with launching attacks."

In order to recruit that infantry, recruiters and affiliate program leads establish Web portals, the report explains, many of which originate in Russia. Some are closed communities that are accessible by invitation only; others, however, are open to the public.

"Oftentimes to protect themselves, open portals include disclaimers on the site that say, 'We do not allow spam or other illicit methods for machine infection,' the report notes. "These are typically in place to put the legal responsibility on the infantry. These portals provide the infantry with all of the necessary information they require to begin an infection campaign. Among other things, these tools include illicit software, support forums, payment rates and tracking and a method in which to receive payments upon completing a certain number of infections."

Fortinet compares the people running the affiliate programs to middle managers who are recruited through "old boy" networks or underground forums.

"To properly arm the infantry, recruiters/affiliates must develop the programs used to infect other systems," the report notes. "These applications include, but are not limited to, fake antivirus software, ransomware, and even botnets."

Crime services such as the ones mentioned above are offered by middlemen at the infantry or syndicate level as a way to make more money, according to the report. And then there are the money mules, who allow the organization to launder its proceeds.

Money mules are often recruited through advertisements and are used to anonymously to move money from one country or bank account to another -- typically using anonymous wire transfer services such as Western Union, Liberty Reserve, U Kash, and WebMoney.

While the report mentions the importance of cracking down on rogue registrars and initiating botnet takedown operations, going after the money is also a great way to hit back on the enforcement side, Manky opines.

"Particularly, the affiliate sponsors -- the ones paying out the money to these PPI/PPP programs -- that is the Achilles heel," he says. "Without that sort of money flow, you take out the infantry [middlemen] who are getting paid via these sponsorship programs. I think it's a good idea, but realistically would require more dedicated resources on the enforcement side -- concentrating mainly on fraud through payment processors, money mules, and affiliate sponsors."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-4448
Published: 2014-10-22
House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents directory by obtaining this UID.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.